Separate Duties at the VA

Separate duties at the VA covers situations where team members need to review packages/releases/tagged items without seeing source code.

Some teams at the VA might have processes that require a separation of duties, where users can pull down releases and associated files, but should not be able to view or manipulate the original source code either remotely or locally. To meet this requirement, the project being audited will need two repositories: one for the project source code and another for the releases themselves.

Separate duties at the VA

To assist with the management of projects requiring separation of duties, we suggest following these measures to ensure ease of use:

  • Duty-based teams named with the project name plus the suffixes -devs, -auditors, and -admins
    • -devs teams will have write access to both the source code and distributions repositories
    • -auditors teams will have read access to the distributions repositories only, and no access to the source code repository
    • -admins teams will have admin access to both the source code and distributions repositories
      • This team is responsible for repository settings
  • Project repository naming conventions
    • Create the source code repository, name it as appropriate, and set it to private
      • Assign the -devs team write access
      • Assign the -admins team admin access
    • Create the release-only repository with the same name as the source code repository, but append -dist (example: pharmx and pharmx-dist)
      • Assign the -devs team write access
      • Assign the -auditors team read access
      • Assign the -admins team admin access
  • README.md additions
    • The README.md in each repository should link to the related repository (example: "Source code: <link to repo>" or "Distributions: <link to -dist repo>")
    • Team information for each duty (example: pharmx-devs and pharmx-auditors)
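The following Python is an added example, not tooling from this guide or the VA: it encodes the team and repository convention above as a permission plan, renders each grant as a `gh api` call to GitHub's team-repository permission endpoint, and audits a listing of each team's repositories for separation-of-duties violations. It assumes an organization name passed in by the caller, and a listing in the shape returned by GET /orgs/{org}/teams/{slug}/repos; the sample listing is constructed.

```python
# Added example, not the VA guide's own tooling. Assumes an org name and a listing of
# each team's repositories in the shape of GET /orgs/{org}/teams/{slug}/repos.
ROLE_PERMISSIONS = {  # team suffix -> {repo suffix: GitHub team permission}
    "-devs": {"": "push", "-dist": "push"},
    "-auditors": {"-dist": "pull"},  # deliberately no entry for the source repo
    "-admins": {"": "admin", "-dist": "admin"},
}
WRITE_LEVELS = ("push", "maintain", "admin")

def plan_permissions(project):
    """Return {(team, repo): permission} for a project following the convention."""
    plan = {}
    for team_suffix, repos in ROLE_PERMISSIONS.items():
        for repo_suffix, perm in repos.items():
            plan[(project + team_suffix, project + repo_suffix)] = perm
    return plan

def gh_api_commands(org, plan):
    """Render each grant as a call to GitHub's team-repository permission endpoint."""
    return [f"gh api -X PUT /orgs/{org}/teams/{team}/repos/{org}/{repo} -f permission={perm}"
            for (team, repo), perm in sorted(plan.items())]

def separation_violations(project, team_repos):
    """Flag an auditor team that can reach the source repo, any grant the plan does not
    contain, and a planned read-only grant that actually carries write access."""
    expected = plan_permissions(project)
    findings = []
    for team, repos in team_repos.items():
        for repo in repos:
            name = repo["name"]
            granted = sorted(p for p, on in repo["permissions"].items() if on)
            if team.endswith("-auditors") and name == project:
                findings.append(f"{team} can access source repo {name}: {granted}")
            elif (team, name) not in expected:
                findings.append(f"{team} has unplanned access to {name}: {granted}")
            elif expected[(team, name)] == "pull" and any(p in granted for p in WRITE_LEVELS):
                findings.append(f"{team} can write to {name} but should be read-only")
    return findings

def perms(*on):
    """Build the boolean permissions object the API returns, true only for the given levels."""
    return {p: p in on for p in ("admin", "maintain", "push", "triage", "pull")}

# Constructed sample listing: the auditors team was wrongly granted read on the source repo.
SAMPLE_TEAM_REPOS = {
    "pharmx-auditors": [{"name": "pharmx-dist", "permissions": perms("pull")},
                        {"name": "pharmx", "permissions": perms("pull")}],
    "pharmx-devs": [{"name": "pharmx", "permissions": perms("pull", "triage", "push")}],
}
```

Running `separation_violations("pharmx", SAMPLE_TEAM_REPOS)` reports the auditors' access to the source repository, while `gh_api_commands(org, plan_permissions("pharmx"))` prints the five grants the convention calls for.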
